When Security, Privacy and Forensics Meet in the Cloud

Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing
Co-Chair, Cloud Security WG
Co-Chair, Cloud Forensics Science WG
March 26, 2015

NIST MISSION: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life

Privacy Engineering Project
*Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) in transition to private sector

• Standards for Security Categorization of Federal Information and Information Systems (FIPS 199); Feb 2004
• Guide for Mapping Types of Information and Information Systems to Security Categories (SP 800-60 Rev. 1); Aug 2008
• Minimum Security Requirements for Federal Information and Information Systems (FIPS 200); Mar 2006
• Security Considerations in the System Development Life Cycle (SP 800-64 Rev. 2); Oct 2008
• Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (SP 800-37, Rev. 1); Feb 2010
• Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39); Mar 2011
• Guide for Conducting Risk Assessments (SP 800-30 Rev. 1); Sep 2012
• Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4); Apr 2013

• Performance Measurement Guide for Information Security (SP 800-55 Rev. 1); Jul 2008
• Contingency Planning Guide for Federal Information Systems (SP 800-34 Rev. 1); May 2010
• Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137); Sep 2011
• Computer Security Incident Handling Guide (SP 800-61 Rev. 2); Aug 2012
• DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems (SP 800-160 Draft); May 12, 2014
• DRAFT Supply Chain Risk Management Practices for Federal Information Systems and Organizations SP 800-161 (Second Draft); Jun. 3, 2014
• Cloud-Adapted Risk Management Framework: Guide for Applying the Risk Management Framework to Cloud-based Federal Information Systems (SP 800-173); work in progress
• Security and Privacy Controls for Cloud-based Federal Information Systems (SP 800-174); work in progress

Slide courtesy of Bill Murray, AWS, Amazon

What Privacy means to you?

Cybersecurity Information Sharing Act:
“Senator Richard Burr argued that it successfully balanced security and privacy”
“Critics still have two fundamental problems”:
a) “Proposed cybersecurity act won’t boost security;”
b) “‘information sharing’ it (CISA) describes sounds more than ever like a backchannel for surveillance.”
“The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat ‘notwithstanding any other provision of law.’”

Why Do We Fear the Clouds? - Searching For an Answer

NIST: Research – Challenging Security Requirement for the USG Cloud Adoption, (whitepaper)
MeriTalk:

1. If I like it, it's mine.
2. If it's in my hand, it's mine.
3. If I can take it from you, it's mine.
4. If I had it a little while ago, it is mine.
5. If it's mine, it must never appear to be yours in any way.
6. If I'm doing or building something, all the pieces are mine.
7. If it looks just like mine, it's mine.
8. If I saw it first, it's mine.
9. If you are playing with something and you put it down, it automatically becomes mine.
10. If it is broken, it's yours.

Trust & Trustworthiness (NIST SP 800-39*)

“Trust is an important concept related to risk management.
How organizations approach trust influences their behaviors and their internal and external trust relationships. […] The reliance on IS services results in the need for trust relationships among organizations”*

① Validated Trust. One organization obtains a body of evidence regarding the actions of another organization and uses that evidence to establish a level of trust with the other organization.
② Direct Historical. The track record exhibited by an organization in the past is used to establish a level of trust with other organizations.
③ Mediated Trust. An organization establishes a level of trust with another organization based on assurances provided by some mutually trusted third party.
④ Mandated Trust. An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority.
⑤ Hybrid Trust. An organization uses one of the previously described models in conjunction with another model(s).

*NIST SP 800-39: Managing Information Security Risk; Organization, Mission, and Information System View

Predictability, Manageability, Unlinkability (or) Obscurity

• Predictability: Enabling reliable assumptions by individuals and system participants about what personal information is being processed, by whom, and why.
• Manageability: Providing the capability for granular administration of personal information including alteration, deletion, and selective disclosure.
• Obscurity/Unlinkability: Enabling the processing of personal information or events in an information system without association to individuals beyond the operational requirements of the system.

[Figure labels: Personal Information; Data Actions; Context; Likelihood of Problematic Data Actions; Impact; Privacy Risk]

AIMING AT MORE THAN WHAT ISO/IEC 27018 OFFERS!

Consumer’s Level of Control & SP 800-37 RMF

[Figure labels: SaaS, PaaS, IaaS; RMF; Cloud-adapted RMF; You manage. Stack image source: Cloud Security Alliance specification, 2009]

Trustworthiness requires visibility into Provider’s practices and risk/information security decisions to understand risk tolerance. But level of trust can vary & the accepted risk depends on the established trust relation.

NIST’s Work – Helps Consumers Deal With an Iceberg

[Figure labels: Architecture SP 500-299; NIST SP 800-173: Cloud-adapted Risk Management Framework]

Risk Management Framework (SP 800-37)
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
(Repeat process as necessary)

Cloud-adapted Risk Management Framework (SP 800-173)
Step 1: Categorize Federal Information System
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls
Step 3: Select best-fitting Cloud Architecture
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider (on-going, near-real-time); Repeat process as necessary

[Figure labels: RMF; CRMF consumer; RMF provider. Stack image source: Cloud Security Alliance specification, 2009]

Cloud-adapted Risk Management Framework –cont.

CRMF:
1. Follows NIST RMF (SP 800-37 Rev1) structure
2. Discusses the impact of cloud computing architecture (deployment model & service type), and cloud characteristics (multi-tenancy, resource-pooling, elasticity, etc.) on “Information System Boundary”.
3. Introduces the “Security Conservation Principle” & “Privacy Conservation Principle”
4. Discusses the notion of TRUST in a cloud ecosystem, and introduces the notion of TRUST BOUNDARY

Cloud-adapted Risk Management Framework –cont.
[Figure labels: RMF; CRMF consumer; RMF provider]

Risk Management Framework (SP 800-37 Rev1):
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
(Repeat process as necessary)

Cloud-adapted Risk Management Framework (SP 800-173, draft):
Step 1: Categorize System to be migrated
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls
Step 3: Select best-fitting Cloud Architecture
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider [on-going, near-real-time]
(Repeat process as necessary)

Stack image source: Cloud Security Alliance specification, 2009

Cloud-adapted Risk Management Framework –cont.

Step 1: Categorize Federal Information System
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls deemed necessary.
Step 3: Select best-fitting Cloud Architecture

Cloud-adapted Risk Management Framework –cont.

[Figure label: User-data Boundary]

Step 4: Assess Service Provider(s) & Broker (if applicable)
  • leverage FedRAMP P-ATOs or Agency-ATOs, or assess the controls
  • build necessary TRUST that the residual risk is acceptable
Step 5: Authorize Use of Service
  • negotiate SLAs & Security SLA
Step 6: Monitor Service Provider(s) (on-going, near-real-time); Repeat process as necessary

Distributed Architecture = Split Control & Responsibilities

Security Conservation Principle

CLOUD ECOSYSTEM
• Cloud Clients (Browsers, Mobile Apps, etc.)
CLOUD ENVIRONMENT
• Software as a Service (SaaS) (Application, Services)
• Platform as a Service (PaaS) (APIs, Pre-built components)
• Infrastructure as a Service (VMs, Load Balancers, DB, etc.)
• Physical Hardware (Servers, Storage, Networking)

Privacy Conservation Principle - Privacy Coin - User’s Privacy vs. Data Privacy

[Figure label: User-data Boundary]

What is the difference?

Privacy Enhanced User & Data Protection

Sharing raw sensitive data beyond the original trusted entity (system owner) introduces the risk of a variety of harms to an individual’s privacy:
• Stigmatization
• Power Imbalance
• Loss of Liberty
• Economic Loss (identity theft)
[NIST Privacy Engineering Objectives and Risk Model Discussion Draft]

Defense mechanisms:
1. Encryption
   Concerns: Key management
2. Simple anonymization
   Concerns: Deanonymization when auxiliary data is available, Limited applicability (statistical datasets).
3. Differentially-privatized data
   Concerns: Limited applicability (statistical datasets). Accuracy concerns.

[Figure labels: Synthetic, Meta-Data]

Can differential privacy protect Consumers against “nosey” cloud Providers?

Privacy Enhanced User-Data Protection

When Things Go Wrong in the Cloud…

1. Segregation of potential evidence in a multi-tenant system
2. Locating and collecting volatile data
3. Evidence correlation across multiple cloud Providers
4. Malicious code may circumvent virtual machine isolation methods
5. Ease of anonymity and creating false personas online
6. e-Discovery
7. Evidence correlation of multiple copies at different geo-locations
8. Data deletion:
   a) deleted when needed for investigations.
   b) often reveals information about others (overwritten)

Highest Priority Challenges & Scores

Score  Challenge
10     Confidentiality and PII
9      Root of trust
9      E-discovery
8      Deletion in the cloud
8      Lack of transparency
7      Timestamp synchronization
7      Use of metadata
7      Multiple venues and geolocations
7      Data integrity and evidence preservation
6      Recovering overwritten data
6      Cloud confiscation and resource seizure
6      Potential evidence segregation
6      Secure provenance
6      Data chain of custody
6      Chain of dependencies
6      Locating evidence
6      Locating storage media
6      Evidence identification
6      Dynamic storage
6      Live forensics
6      Resource abstraction
6      Ambiguous trust boundaries
6      Cloud training for investigators

From NIST IR 8006: DRAFT NIST Cloud Computing Forensic Science Challenges
http://csrc.nist.gov/publications/PubsNISTIRs.html

Questions? Thank you!

Additional Information
NIST Cloud Home Page: http://www.nist.gov/itl/cloud
NIST Cloud Computing Collaborative Twiki: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity